(Secure) access to Pi-hole via the internet (DoH/DoT/port 53/PROXY protocol)

I would like to use Pi-hole over the internet from the following devices:

  • iOS, macOS, Android, Fritzbox (a very well-known DSL router brand in Germany)

Pi-hole is supposed to run on two virtual servers in the cloud as a Docker container.

The use of port udp/53 is out of the question for the following reasons:

  • udp/53 is not encrypted
  • an authoritative DNS server (PowerDNS) already runs on udp/53; actually it runs behind dnsdist.
  • DNS amplification attacks
    • In Germany you get a friendly email from the "Bundesamt für Sicherheit" (BSI) asking you to disable the open resolver on port 53.

Therefore only DoH or DoT can be considered. A VPN is not the perfect solution (energy consumption, no redundancy of the DNS server), and the Fritzbox cannot handle it either.

DoH or DoT is (or will soon be) supported by the devices.
iOS/MacOS: https://www.techradar.com/news/apple-devices-will-get-encrypted-dns-in-ios-14-and-macos-11
Android: https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/
Fritzbox : https://www.heise.de/newsticker/meldung/FritzOS-7-19-Bessere-WLAN-Verschluesselung-WPA3-fuer-AVMs-Fritzboxen-4597676.html

But I cannot find any way to activate DoT or DoH in Pi-hole.

It is not a problem to put a DoT/DoH proxy in front of Pi-hole, but the client IP address is lost; you only see the IP address of the proxy in the Pi-hole GUI.
There are instructions for solving this with routing/route maps, but this is only a very unpleasant workaround. In Docker this is also difficult to implement (or do you have a good manual for it?).

I also don't think that implementing DoT or DoH directly in Pi-hole is a good solution.
Also note that ports 443, 53 and 853 are not used exclusively by Pi-hole but by other DNS services as well, so a DNS load balancer must be installed.
It would make much more sense if the developers had a look at the "PROXY protocol". Then you could simply put haproxy or dnsdist (version 1.5 or higher) in front of it and the problem would be solved.

https://dnsdist.org/advanced/proxyprotocol.html
https://dnsdist.org/guides/dns-over-https.html
https://dnsdist.org/guides/dns-over-tls.html

SOLUTION: Implementation of the "PROXY protocol"

PS: With mmproxy I unfortunately also had no success: https://github.com/path-network/go-mmproxy
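The request above is for the DNS server behind the proxy to accept the PROXY protocol, so that dnsdist or haproxy can terminate DoH/DoT and still hand over the real client address instead of its own. As an added example (not code from the original post, from Pi-hole or from dnsdist), here is a parser for the binary PROXY protocol version 2 header that such a receiving server would need, together with a builder for the header a proxy prepends. The client and server addresses, ports and the DNS query bytes are constructed sample values; in practice the header is only trustworthy when it arrives from the proxy's own address, so the parser refuses to guess an address if the signature is missing rather than falling back silently.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

FAMILIES = {0x0: "UNSPEC", 0x1: "INET", 0x2: "INET6"}        # UNIX (0x3) not relevant for DNS
TRANSPORTS = {0x0: "UNSPEC", 0x1: "STREAM", 0x2: "DGRAM"}
COMMANDS = {0x0: "LOCAL", 0x1: "PROXY"}


@dataclass
class ProxyInfo:
    command: str                # "LOCAL" (proxy's own traffic, e.g. health check) or "PROXY"
    family: str
    transport: str
    src_addr: Optional[str]     # the original client address the proxy saw
    dst_addr: Optional[str]     # the address the client originally connected to
    src_port: Optional[int]
    dst_port: Optional[int]
    header_len: int             # bytes consumed; the DNS message starts here


def build_proxy_v2(src: str, dst: str, src_port: int, dst_port: int,
                   transport: str = "DGRAM") -> bytes:
    """Build the v2 header a proxy would prepend (PROXY command, INET or INET6)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share an address family")
    fam = 0x1 if s.version == 4 else 0x2
    proto = {"STREAM": 0x1, "DGRAM": 0x2}[transport]
    addrs = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    # 0x21 = version 2 (high nibble), PROXY command (low nibble)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, (fam << 4) | proto, len(addrs)) + addrs


def is_proxy_v2(buf: bytes) -> bool:
    """Cheap pre-check: does this datagram/stream start with a v2 signature?"""
    return len(buf) >= 16 and buf[:12] == PP2_SIGNATURE and (buf[12] >> 4) == 2


def parse_proxy_v2(buf: bytes) -> ProxyInfo:
    if len(buf) < 16:
        raise ValueError("truncated: a PROXY v2 header needs at least 16 bytes")
    if buf[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature; refusing to guess the client address")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError(f"unsupported PROXY protocol version {ver_cmd >> 4}")
    header_len = 16 + addr_len
    if len(buf) < header_len:
        raise ValueError("truncated: address block shorter than announced")
    command = COMMANDS.get(ver_cmd & 0x0F)
    family = FAMILIES.get(fam_proto >> 4)
    transport = TRANSPORTS.get(fam_proto & 0x0F)
    if command is None or family is None or transport is None:
        raise ValueError("unknown command, address family or transport")
    if command == "LOCAL" or family == "UNSPEC":
        # No client address is carried; treat the connection as the proxy's own.
        return ProxyInfo(command, family, transport, None, None, None, None, header_len)
    n = 4 if family == "INET" else 16
    block = buf[16:header_len]
    if len(block) < 2 * n + 4:
        raise ValueError("address block too short for the announced family")
    src = str(ipaddress.ip_address(block[:n]))
    dst = str(ipaddress.ip_address(block[n:2 * n]))
    sp, dp = struct.unpack("!HH", block[2 * n:2 * n + 4])
    # Anything after the addresses up to header_len is optional TLVs; skipped here.
    return ProxyInfo(command, family, transport, src, dst, sp, dp, header_len)


def split_proxied_message(buf: bytes) -> Tuple[ProxyInfo, bytes]:
    """Separate the PROXY header from the DNS message that follows it."""
    info = parse_proxy_v2(buf)
    return info, buf[info.header_len:]


# Constructed sample: a minimal DNS query for example.com A (id 0x1234, RD set).
SAMPLE_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    b"\x07example\x03com\x00\x00\x01\x00\x01")


def demo() -> dict:
    """What a PROXY-aware server would log: the real client, not the proxy."""
    wire = build_proxy_v2("203.0.113.10", "10.0.0.5", 51234, 53) + SAMPLE_DNS_QUERY
    info, dns = split_proxied_message(wire)
    return {"client": f"{info.src_addr}:{info.src_port}", "transport": info.transport,
            "dns_id": struct.unpack("!H", dns[:2])[0], "header_len": info.header_len}


if __name__ == "__main__":
    print(demo())
```

The same parse is what a UDP listener would do on every datagram and a TCP/DoT/DoH backend would do once per connection; dnsdist emits version 2 for its proxied backends, and the `header_len` field tells the caller where the unmodified DNS message begins.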

6 posts were merged into an existing topic: Add "PROXY protocol" Support -> quick win: DoH, DOT, DNSCrypt, Loadbalancing, dns rulesets with dnsdist